Why is 'Force User Authentication' disabled by default?

SonarQube -

I am curious why the Force User Authentication flag is disabled by default. This seems like a rather standard security control to have enabled. At the very least it would be nice to have it pointed out as part of the system installation since it is not what most people would expect.

Any insight into the thoughts behind this would be appreciated.


Welcome to the community!

The idea here is allowing project stakeholders to have insight into the project’s Code Quality and Security and into its current releasability. The assumption is that anyone in your organization who can get to your SonarQube instance probably has an interest in its contents.

Specifically: the assumption is that you won’t be making the instance public unless you’ve got open source software, and that everyone who is behind your firewall with your SonarQube instance should be able to see the code.